Homeland Security Presidential Directive 12 (HSPD-12) mandates establishment of an identification program for Federal Government employees. Among other things, it is to provide credential-controlled physical and logical access to facilities and information systems. A personal identity verification (PIV) card will be used to gain access, and such will comport with Federal Information Processing Standards (FIPS) promulgated by the Department of Commerce and the National Institute of Standards and Technology (NIST).
The GSA's Federal Acquisition Service also has launched programs providing assistance to Federal agencies, commissions, boards, organizations, militaries, etc. (hereafter collectively agencies), in producing compliant PIV cards. At a high level, they follow the four steps of sponsorship, enrollment (including biometric identity information), adjudication and activation. In more detail, the steps include:
Sponsorship: An authorized federal employee (sponsor), per a given agency, submits a request for a PIV card on behalf of an applicant. The sponsor basically provides baseline identity information about the applicant, e.g., name, address, phone number, education, etc.
Enrollment: A designated registrar captures the baseline identity information, breeder documents and biometric identity information. Among the biometric identity information, the registrar collects fingerprints and takes a photograph of the applicant. Depending upon job level, they may also administer and/or collect toxicology reports (blood and/or urine test), DNA samples, retina scans or the like. The registrar also enters physical attributes (e.g., height, weight, hair color, eye color, blood type, etc.). Once collected, the biometric identity information is submitted to the Integrated Database Management System (IDMS) for storage. There are three types of enrollment: enrolling a never-before enrolled applicant; re-enrolling an applicant for issuance of a new PIV card after theft, loss, defect, etc.; and re-enrolling based on status change (i.e., change of agency or affiliation).
Adjudication (inherently a Federal Government function): The applicant undergoes a background check, such as an FBI check and a NACI (National Agency Check with Inquiries), and such is based upon, in whole or part, the collected enrollment information.
Activation: Upon successful adjudication, the applicant appears in person to receive their PIV card and is verified, such as by biometric authentication, e.g., optical scan, fingerprint match, etc. Then, various computing keys and certificates are generated and loaded on the card, such as placing an X.509 certificate on a PIV card, thereby provisioning the user to logical and physical access systems of the agency.
Also, certain software products are presently available in the marketplace for use in implementing one or more of the foregoing steps. One particular product is the Identity Assurance Solution (IAS) software offering, provided by Novell, Inc. (the assignee of this invention). In general, an Identity Manager (IDM) integrates the logical security of a site based on identity smart cards and physical site management. The logical portion of IDM associates users to agencies and organizations using the physical and logical infrastructures and resources.
By way of the strictures of HSPD-12, however, current IAS software offerings only allow users to have one card. There may be situations now or in the future, though, where several federal agencies (and/or sub-agencies) share employees and/or the same IAS software offering. In such a situation, some users will be enrolled in multiple agencies, and will require a separate card for each agency, or a single card with multiple credentials. Completing the entirety of the steps of sponsorship, enrollment, adjudication and activation, per each agency, will introduce redundancies, since the biometric identity information of the user or applicant remains valid for certain periods of time (or indefinitely, depending upon the type of information) and adjudication is based on common principles.
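The following added example (not code from the patent or from Novell's IAS product) models the four-step process above and the redundancy argument: when an already-credentialed applicant is sponsored by a second agency, enrollment and adjudication are skipped while their prior results remain within an assumed validity window, and the new agency credential is added to the same card. The validity periods, agency names and credential identifiers are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Illustrative validity windows; constructed for this example, not values taken
# from HSPD-12 or FIPS 201. Prior results are reusable only within their window.
VALIDITY = {
    "fingerprints": timedelta(days=10 * 365),
    "photograph": timedelta(days=2 * 365),
    "adjudication": timedelta(days=5 * 365),
}

@dataclass
class Applicant:
    name: str
    records: dict = field(default_factory=dict)      # kind -> date captured/completed
    credentials: dict = field(default_factory=dict)  # agency -> credential on the one card

def is_current(applicant, kind, today):
    captured = applicant.records.get(kind)
    return captured is not None and today - captured <= VALIDITY[kind]

def steps_required(applicant, agency, today):
    """Steps that must actually be performed to credential `agency`.
    Sponsorship is always per agency (the sponsor belongs to the requesting agency)
    and activation always loads a new agency credential; enrollment and
    adjudication are skipped when prior results are still within their window."""
    required = ["sponsorship"]
    if not all(is_current(applicant, k, today) for k in ("fingerprints", "photograph")):
        required.append("enrollment")
    if not is_current(applicant, "adjudication", today):
        required.append("adjudication")
    required.append("activation")
    return required

def provision(applicant, agency, today):
    """Run only the required steps, record fresh results, and issue the credential."""
    done = steps_required(applicant, agency, today)
    if "enrollment" in done:
        applicant.records["fingerprints"] = today
        applicant.records["photograph"] = today
    if "adjudication" in done:
        applicant.records["adjudication"] = today
    applicant.credentials[agency] = f"{agency}:cert:{today.isoformat()}"  # placeholder id
    return done

def demo():
    """First agency needs all four steps; a second, 400 days later, reuses enrollment
    and adjudication; a third, 800 days later, re-enrolls because the photo expired."""
    a, d0 = Applicant("J. Doe"), date(2008, 1, 15)
    return [provision(a, "AgencyA", d0),
            provision(a, "AgencyB", d0 + timedelta(days=400)),
            provision(a, "AgencyC", d0 + timedelta(days=800))]
```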
Accordingly, there is need in the art of employee cards to optimize existing resources. Particularly, there is need to provision users to more than one federal agency, by leveraging commonality in the GSA provisioning process. In that the art of providing employee cards is not limited to the federal government, or their disbursement of PIV cards, there is further need to supply state governments or other business enterprises with employee cards for different physical and logical access systems found at different locations. Because many computing configurations already have existing employee-card provisioning technology, it is further desirable to leverage existing configurations by way of retrofits, thereby avoiding the costs of providing wholly new products. Taking advantage of existing frameworks, such as the IAS software offering by Novell, Inc., is another feature in optimizing existing resources. Any improvements along such lines should further contemplate good engineering practices, such as automation, relative inexpensiveness, stability, ease of implementation, security, fraud protection, flexibility, etc.